Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2018.0169
Security Advisory: Oracle Java SE
18 July 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle Java SE
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2018-2973 CVE-2018-2972 CVE-2018-2964
CVE-2018-2952 CVE-2018-2942 CVE-2018-2941
CVE-2018-2940 CVE-2018-2938
Member content until: Friday, August 17 2018
OVERVIEW
Multiple vulnerabilities have been identified in
Oracle Java SE, versions 6u191, 7u181, 8u172, 10.0.1
Oracle Java SE Embedded, version 8u171
Oracle JRockit, version R28.3.18
[1]
IMPACT
The vendor has provided the following information regarding
the vulnerabilities:
"This Critical Patch Update contains 8 new security fixes
for Oracle Java SE. All of these vulnerabilities may be
remotely exploitable without authentication, i.e., may be
exploited over a network without requiring user
credentials." [1]
"CVE-2018-2938
9.0
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Supported versions that are affected are Java SE: 6u191,
7u181 and 8u172. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via multiple
protocols to compromise Java SE. While the vulnerability is
in Java SE, attacks may significantly impact additional
products. Successful attacks of this vulnerability can
result in takeover of Java SE. Note: This vulnerability can
only be exploited by supplying data to APIs in the specified
Component without using Untrusted Java Web Start
applications or Untrusted Java applets, such as through a
web service.
CVE-2018-2964
8.3
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Supported versions that are affected are Java SE: 8u172 and
10.0.1. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via multiple
protocols to compromise Java SE. Successful attacks require
human interaction from a person other than the attacker and
while the vulnerability is in Java SE, attacks may
significantly impact additional products. Successful attacks
of this vulnerability can result in takeover of Java SE.
Note: This vulnerability applies to Java deployments,
typically in clients running sandboxed Java Web Start
applications or sandboxed Java applets, that load and run
untrusted code (e.g., code that comes from the internet) and
rely on the Java sandbox for security. This vulnerability
does not apply to Java deployments, typically in servers,
that load and run only trusted code (e.g., code installed by
an administrator).
CVE-2018-2941
8.3
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Supported versions that are affected are Java SE: 7u181,
8u172 and 10.0.1. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via multiple
protocols to compromise Java SE. Successful attacks require
human interaction from a person other than the attacker and
while the vulnerability is in Java SE, attacks may
significantly impact additional products. Successful attacks
of this vulnerability can result in takeover of Java SE.
Note: This vulnerability applies to Java deployments,
typically in clients running sandboxed Java Web Start
applications or sandboxed Java applets, that load and run
untrusted code (e.g., code that comes from the internet) and
rely on the Java sandbox for security. This vulnerability
does not apply to Java deployments, typically in servers,
that load and run only trusted code (e.g., code installed by
an administrator).
CVE-2018-2942
8.3
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Supported versions that are affected are Java SE: 7u181 and
8u172. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via multiple
protocols to compromise Java SE. Successful attacks require
human interaction from a person other than the attacker and
while the vulnerability is in Java SE, attacks may
significantly impact additional products. Successful attacks
of this vulnerability can result in takeover of Java SE.
Note: Applies to client and server deployment of Java. This
vulnerability can be exploited through sandboxed Java Web
Start applications and sandboxed Java applets. It can also
be exploited by supplying data to APIs in the specified
Component without using sandboxed Java Web Start
applications or sandboxed Java applets, such as through a
web service.
CVE-2018-2972
5.9
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
The supported version that is affected is Java SE: 10.0.1.
Difficult to exploit vulnerability allows unauthenticated
attacker with network access via multiple protocols to
compromise Java SE. Successful attacks of this
vulnerability can result in unauthorized access to critical
data or complete access to all Java SE accessible data.
Note: Applies to client and server deployment of Java. This
vulnerability can be exploited through sandboxed Java Web
Start applications and sandboxed Java applets. It can also
be exploited by supplying data to APIs in the specified
Component without using sandboxed Java Web Start
applications or sandboxed Java applets, such as through a
web service.
CVE-2018-2973
5.9
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Supported versions that are affected are Java SE: 6u191,
7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171. Difficult
to exploit vulnerability allows unauthenticated attacker
with network access via SSL/TLS to compromise Java SE, Java
SE Embedded. Successful attacks of this vulnerability can
result in unauthorized creation, deletion or modification
access to critical data or all Java SE, Java SE Embedded
accessible data. Note: This vulnerability applies to Java
deployments, typically in clients running sandboxed Java Web
Start applications or sandboxed Java applets, that load and
run untrusted code (e.g., code that comes from the internet)
and rely on the Java sandbox for security. This
vulnerability does not apply to Java deployments, typically
in servers, that load and run only trusted code (e.g., code
installed by an administrator).
CVE-2018-2940
4.3
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Supported versions that are affected are Java SE: 6u191,
7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171. Easily
exploitable vulnerability allows unauthenticated attacker
with network access via multiple protocols to compromise
Java SE, Java SE Embedded. Successful attacks require human
interaction from a person other than the attacker.
Successful attacks of this vulnerability can result in
unauthorized read access to a subset of Java SE, Java SE
Embedded accessible data. Note: This vulnerability applies
to Java deployments, typically in clients running sandboxed
Java Web Start applications or sandboxed Java applets, that
load and run untrusted code (e.g., code that comes from the
internet) and rely on the Java sandbox for security. This
vulnerability does not apply to Java deployments, typically
in servers, that load and run only trusted code (e.g., code
installed by an administrator).
CVE-2018-2952
3.7
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Supported versions that are affected are Java SE: 6u191,
7u181, 8u172 and 10.0.1; Java SE Embedded: 8u171; JRockit:
R28.3.18. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via multiple
protocols to compromise Java SE, Java SE Embedded, JRockit.
Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded, JRockit. Note:
Applies to client and server deployment of Java. This
vulnerability can be exploited through sandboxed Java Web
Start applications and sandboxed Java applets. It can also
be exploited by supplying data to APIs in the specified
Component without using sandboxed Java Web Start
applications or sandboxed Java applets, such as through a
web service." [2]
MITIGATION
Oracle states:
"Due to the threat posed by a successful attack, Oracle
strongly recommends that customers apply CPU fixes as soon
as possible. Until you apply the CPU fixes, it may be
possible to reduce the risk of successful attack by blocking
network protocols required by an attack. For attacks that
require certain privileges or access to certain packages,
removing the privileges or the ability to access the
packages from users that do not need the privileges may help
reduce the risk of successful attack. Both approaches may
break application functionality, so Oracle strongly
recommends that customers test changes on non-production
systems. Neither approach should be considered a long-term
solution as neither corrects the underlying problem." [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - July 2018
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
[2] Text Form of Oracle Critical Patch Update - July 2018 Risk Matrices
http://www.oracle.com/technetwork/security-advisory/cpujul2018verbose-4258253.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBW07auGaOgq3Tt24GAQjE7w//cSvOP3BEcZcWzNp3WQzh4hlYZj/0RMLd
yNyXY0/59xHELZdTamTVU9OYXsQy5HMzgNUZg9uaGCBx3vvxNOAs6w+3YLR58Dsf
XCN5ZKVHRU9WAE+/B3RrUxNCP8sYJf06afNE8eepS8JuaVjd/aOc5GU76U3oiHLb
uYwTHJxUPhDWgqWc9Sd98TbXDKF1Yv08Vv6ZNeD74MHlvyVoRlOgiw877M+HbWY2
HFFAxtwCHD68rSGKWooHdPgy6e2ZXjUryrEuRcuFFZ7tNeHHS/1oABd6vlatBYtA
n+8lwidiUiBOmbymxSNvIKIReJHO2gn84jXZ2EKX3pucKr1MslP7ZiP1+5GpVseo
vf4idVzPTvVnt5Guo/GP985yios5nFq6df9N1kdjcLxFzMqihSUjVhmR6zwJuqCU
4Jt9fBRL6Fsz5fJH2q9xxCGuyInP7STUrnuP2WUHMU7lLtJybsRa9PHxcKHXrGes
R5OCO7m6YwB87MIMNubhzfSJsQboQPGqLAZskEBRDeybw+PHKpaPRvsGPk3067T+
EVPZv6dszma6IUTqoX5ySeMvDBxk9lV8emLZRCFL7TFLEnxCY1w6UqZOB4Mxy8ho
1Fr/rv9JHryYwHIBl/yhtfc2QvuZyhZmiPnpbtprUVDWQUmYWiP94ZVuZKqUlyIR
R/o+o2YCo6I=
=AqLo
-----END PGP SIGNATURE-----